Analysis
-
max time kernel
151s -
max time network
117s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
26-07-2021 12:39
General
-
Target
5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
-
Size
674KB
-
MD5
1c0fbff0f6a18ce6d05e0026b7423b64
-
SHA1
f422c94cc824c175802df15408114b6284918e17
-
SHA256
5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a
-
SHA512
40574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41
Malware Config
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-gifixtg.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\ProgramData\kwivvrl.html
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 6 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe"C:\Users\Admin\AppData\Local\Temp\5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exeC:\Users\Admin\AppData\Local\Temp\pwqidta.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows all2⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe"C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft OneDrive\hmvkwmbMD5
45ebd9f4549b39a53e154e3e3623dd31
SHA18c54554d4426d8c7e38937e739e652cddae0eaa4
SHA25681123ec2785f5854f168d86c98350198ab63b39fc7b47f6fbbf7ca255dd4c88b
SHA5127db324139e3b486304b30added569e41ce74cb0928010f4afa019b71d3a8b64f7861ccc87ef7be13d4e8e4c308fca98bb0bbf69a85d5e90e33c5a7d204ed6aa9
-
C:\ProgramData\Microsoft OneDrive\hmvkwmbMD5
45ebd9f4549b39a53e154e3e3623dd31
SHA18c54554d4426d8c7e38937e739e652cddae0eaa4
SHA25681123ec2785f5854f168d86c98350198ab63b39fc7b47f6fbbf7ca255dd4c88b
SHA5127db324139e3b486304b30added569e41ce74cb0928010f4afa019b71d3a8b64f7861ccc87ef7be13d4e8e4c308fca98bb0bbf69a85d5e90e33c5a7d204ed6aa9
-
C:\ProgramData\Microsoft OneDrive\hmvkwmbMD5
92c14d4b61232dd56bcc3e1ee03d9388
SHA1f34f9a88155642f94a8de37a497703ab72014a22
SHA2563994e4eacfa487acb8fe307ec95d2048c0b7adb94dab796beb9a3dfae00386aa
SHA512e3ad581248cb7f154eb9db288c28188735ffb2d926c741e3e247e43cfaf5d24549b03636af73802ad79a746e946c25d2a63c30bf4280c6afeeef07eaea7d7eff
-
C:\ProgramData\Microsoft OneDrive\hmvkwmbMD5
a983755b4701cfcc2be111cdee9e7d2d
SHA10aa3d3d23f3eaa3cb085e6d06c890ec2b3dea76e
SHA256e83c1c3939d51f792fa9431238588490fcbfbe434b9b25898cbd71ba532c9d91
SHA51254036717dd6153b0a9f257f0199e662435a29ff0f0fb9a6df5ca66d5e70ba027b209d85c1443a289de343e76795b897236c7fee345b3851a5dc5dfe660d3c8b2
-
C:\ProgramData\Microsoft OneDrive\hmvkwmbMD5
355140c80b6de146f44c40b27df8c311
SHA15c76a1b2cc6618f7e14b0d757996458b0c5fa445
SHA256af9b5a44e60bf47e914ef8d85296191b9462e65bfbc3902afb95f519dcc457b5
SHA512471c18e34cc639896610881d55505c3c97be18e5ed8713258b1c506dc08954c8242a4544cd1cf94993491dd76150d82b7ac3accf8c19f539a142a1cf51fb95e9
-
C:\ProgramData\kwivvrl.htmlMD5
fa1222720800c2b28e18f55864bac742
SHA1d957d7223d1a4180b00ec3dc4e801260c58b7879
SHA2567ee4dedf8b9ec63fc6323134d9cbe336b7c4c7a7cd641577e8c4181817aa372f
SHA51273ae648fa63774a0755cfe30417e0e6a7ed769c3956406871a92bb6633ee69be00b39672b5ad655accead9158c571878228430f78e6c173366b0e7d78aa34825
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exeMD5
1c0fbff0f6a18ce6d05e0026b7423b64
SHA1f422c94cc824c175802df15408114b6284918e17
SHA2565213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a
SHA51240574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exeMD5
1c0fbff0f6a18ce6d05e0026b7423b64
SHA1f422c94cc824c175802df15408114b6284918e17
SHA2565213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a
SHA51240574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41
-
C:\Users\Admin\AppData\Local\Temp\pwqidta.exeMD5
1c0fbff0f6a18ce6d05e0026b7423b64
SHA1f422c94cc824c175802df15408114b6284918e17
SHA2565213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a
SHA51240574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41
-
memory/736-120-0x000000002D070000-0x000000002D0E7000-memory.dmpFilesize
476KB
-
memory/1912-119-0x0000000001760000-0x00000000019AB000-memory.dmpFilesize
2.3MB
-
memory/2496-128-0x0000000000000000-mapping.dmp
-
memory/2496-131-0x00000000004B0000-0x00000000006FB000-memory.dmpFilesize
2.3MB
-
memory/3148-114-0x0000000000DB0000-0x0000000000FCA000-memory.dmpFilesize
2.1MB
-
memory/3148-115-0x0000000000FD0000-0x000000000121B000-memory.dmpFilesize
2.3MB
-
memory/3860-127-0x0000000000000000-mapping.dmp